IPSEC / Crypto map configuration: Need to open firewall ports?

Answered Question
Jan 9th, 2008

Hi Experts,

I have the diagram below:

Server A -> A Firewall -> Router A <-> Router B <- B Firewall <- Server B

I am trying to do a crypto map between Router A and B. There is NAT being done at both firewall ends.

Server A: 192.168.5.11

NATed at Firewall to 203.120.5.11

Server B: 172.16.16.11

NATed at Firewall to 203.123.16.11

I have done a permit access-list for 203.120.5.11 and 203.123.16.11 for the crypto map configuration.

But my question is whether I need to open any ports at the firewall end?

Currently the crypto is not able to come up.

Thanks.


Correct Answer by Jon Marshall about 9 years 2 months ago

Cindy

At the risk of making your headache worse :)

Phase 1 of your IPSEC is working fine.

The key bit out of your error file is

local_proxy= 172.26.128.0/255.255.255.0/0/0 (type=4),

remote_proxy= 172.23.184.0/255.255.255.0/0/0 (type=4),

Jan 9 08:32:45.649 GMT: IPSEC(validate_transform_proposal): proxy identities not supported

This is telling you that the routers disagree about what the local and remote networks are.

As you are NATting your servers to 203.x.x.x addressing, these should not be the local and remote subnets.

Can you recheck your crypto map access-list and, if still not clear, post your router configs.

Jon
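As an added check (not code from the thread or from Cisco) of the point Jon makes: the crypto ACL on each router must list the addresses the peer actually sees, here the post-NAT 203.x hosts, the two ACLs must be mirror images of each other, and the local_proxy/remote_proxy pair that `debug crypto ipsec` prints must be an entry of the local crypto ACL. The two ACLs below are constructed samples, not the poster's configs; the proxy lines are the ones quoted in the answer.

```python
import ipaddress
import re

# Constructed sample crypto ACLs (hypothetical, not the poster's configs): each router
# lists its own post-NAT host as source and the peer's post-NAT host as destination.
ROUTER_A_ACL = "permit ip 203.120.5.11 0.0.0.0 203.123.16.11 0.0.0.0\n"
ROUTER_B_ACL = "permit ip 203.123.16.11 0.0.0.0 203.120.5.11 0.0.0.0\n"

# The two proxy-identity lines quoted from the thread's debug output.
DEBUG_OUTPUT = """\
local_proxy= 172.26.128.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.23.184.0/255.255.255.0/0/0 (type=4),
"""

ACE_RE = re.compile(r"permit\s+ip\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)")
PROXY_RE = re.compile(r"(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/\d+/\d+")

def wildcard_to_net(addr, wildcard):
    """IOS wildcard is the inverted subnet mask; return the matching network."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_crypto_acl(text):
    """Set of (source_net, destination_net) pairs from 'permit ip src wc dst wc' lines."""
    return {(wildcard_to_net(s, sw), wildcard_to_net(d, dw))
            for s, sw, d, dw in ACE_RE.findall(text)}

def unmirrored_entries(acl_a, acl_b):
    """Entries on each side that the peer does not list as the reversed (dst, src) pair."""
    missing_on_b = {e for e in acl_a if (e[1], e[0]) not in acl_b}
    missing_on_a = {e for e in acl_b if (e[1], e[0]) not in acl_a}
    return missing_on_b, missing_on_a

def parse_proxy_ids(debug_text):
    """local/remote proxy identities from 'debug crypto ipsec' output, as networks."""
    return {side: ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            for side, addr, mask in PROXY_RE.findall(debug_text)}

def proxy_ids_in_acl(proxy_ids, acl):
    """True when the negotiated (local, remote) pair is an entry of the local crypto ACL;
    False is the 'proxy identities not supported' situation from the thread."""
    return (proxy_ids["local"], proxy_ids["remote"]) in acl
```

Running it against the thread's proxy identities and the 203.x sample ACL returns False from `proxy_ids_in_acl`, which is exactly the disagreement the answer points to.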

Jon Marshall Wed, 01/09/2008 - 00:23

Hi Cindy

If the IPSEC tunnel is between the 2 routers, which it sounds as if it is, then the answer is it depends :). As an example:

Server A telnets to Server B.

1) Is there an access-list on the A firewall on the inside interface that might stop the traffic reaching router A?

2) If not, can you confirm that the firewall is doing the NAT translation correctly?

3) Assuming 1 & 2 are okay, is there a rule on firewall B that allows telnet traffic from Server A to Server B?

If 3 is okay then no, you should not have to open any more ports, because the return traffic will be allowed as the ASAs are stateful firewalls.

If you are using something like ping between the 2 servers, you may need additional access-list entries.

When you try to initiate a connection and you have

debug crypto isa

debug crypto ipsec

turned on on router A, do you see anything?

Jon


cindylee27 Wed, 01/09/2008 - 00:36

Jon,

Well, the network layer is up. I can ping without the crypto map configured and confirmed that the NAT is working by pinging the NAT IP.

Headache now..

Log as attached.

Thanks!



cindylee27 Wed, 01/09/2008 - 01:11

Jon,

Great! Headache reduced tremendously..! :D

Put in the access list to any any.. and yup,

you are right on the routers not agreeing on the local and remote networks..

I am there already..:) Can see the encryption traffic already.. Thanks a lot!


Jon Marshall Wed, 01/09/2008 - 01:15

Cindy


Glad to be of help and appreciate the rating.


Good advert for Netpro - better than headache pills :)


Jon
